Important OAuth/API Authentication Update

OAuth1 Token TTL Enforcement Notice for Developers

What is this?

This notice informs developers of enforcement of OAuth1 token Time-To-Live (TTL) limits for API access.

OAuth1 access tokens will have a maximum lifetime of 90 days from issuance.

What does it do?

OAuth1 tokens must be refreshed or reauthorized before they reach the 90-day TTL limit.

After a token expires, requests using that token will fail with a 401 authentication error until a new valid token is used.

To create a new access token after expiration, apps must complete the OAuth1 re-authorization flow described in the Authentication documentation.
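The following is an added example, not Schoology code: a sketch of how an integration could track token age against the 90-day limit and decide what a 401 means. The 14-day renewal window, the function names and the sample records are assumptions; the triage step reflects that this notice also describes 401 responses for Personal API keys and unapproved apps, which re-authorization does not resolve.

```python
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(days=90)       # maximum lifetime stated in this notice
RENEW_WINDOW = timedelta(days=14)    # assumption: how early to re-authorize


def expires_at(issued_at: datetime) -> datetime:
    """Expiry is measured from issuance, not from last use."""
    if issued_at.tzinfo is None:
        raise ValueError("store issuance times as timezone-aware UTC")
    return issued_at.astimezone(timezone.utc) + TOKEN_TTL


def token_status(issued_at: datetime, now: datetime) -> str:
    """Return 'expired', 'renew' or 'ok' for one token."""
    remaining = expires_at(issued_at) - now
    if remaining <= timedelta(0):
        return "expired"
    return "renew" if remaining <= RENEW_WINDOW else "ok"


def audit(tokens: dict, now: datetime) -> list:
    """List (user, status, expiry) for tokens needing action, soonest first."""
    due = [(user, token_status(ts, now), expires_at(ts))
           for user, ts in tokens.items()]
    return sorted((d for d in due if d[1] != "ok"), key=lambda d: d[2])


def triage_401(issued_at: datetime, now: datetime) -> str:
    """Decide what a 401 means for a token whose issuance time is known."""
    if token_status(issued_at, now) == "expired":
        return "reauthorize"          # TTL reached: run the OAuth1 flow again
    # Token is still inside its TTL, so re-authorizing in a loop will not help;
    # check key type and app approval instead.
    return "check_access_policy"


# Constructed sample data: user ids and issuance times are illustrative.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)
TOKENS = {
    "user-a": datetime(2025, 5, 1, tzinfo=timezone.utc),   # 123 days old
    "user-b": datetime(2025, 6, 10, tzinfo=timezone.utc),  # 83 days old
    "user-c": datetime(2025, 8, 20, tzinfo=timezone.utc),  # 12 days old
}

if __name__ == "__main__":
    for user, status, expiry in audit(TOKENS, NOW):
        print(f"{user}: {status} (expires {expiry:%Y-%m-%d})")
    print(triage_401(TOKENS["user-c"], NOW))
```

Recording the issuance time when the token is stored is what makes both the audit and the 401 triage possible.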

What won’t change?

Existing OAuth1 authentication flows, key management, and approved app access policies remain the same.

This update only enforces token lifetime validity and does not change endpoint behavior, scopes, or Schoology App Center approval requirements.

Additional Security for OAuth/API Keys on 3rd Party Apps

What is this?

This update introduces additional security measures for OAuth/API keys used by third-party apps to access data in Schoology from June 25, 2025.

This does not affect apps in the Schoology App Center.

What does it do?

This will ensure that Personal API keys cannot access other users' data. Integrations using Personal API keys will receive a 401 error.

What won’t change?

This will not affect Schoology App Center applications.

Apps that are unpublished or available only within the school will continue to access users within the same school without changes.

Schoology App Center Approval Requirement:

Moving forward, apps must be approved by Schoology to access data from other schools. Unapproved apps will receive a 401 error when attempting to access user data. Please ensure all necessary actions are taken before the mandatory activation date to avoid possible disruptions. If you have any questions or would like to opt in sooner than the mandatory date, please reach out to our support team.